CDN improvement / libraries upgrade

- introduce integrity & crossorigin - upgrade jquery 2.1.4 to 2.2.4 - upgrade bootstrap 3.3.5 to 3.3.6 - use minified versions of jquery-ui 1.11.4 - upgrade FontAwesome 4.4.0 to 4.6.3 - update corresponding local files Fixes #21214, #21215, #21216, #21217
mantisbt · Jul 10, 2016 · ac06d37 · ac06d37
1 parent f2807f2
commit ac06d37
Show file tree

Hide file tree

Showing 20 changed files with 126 additions and 1,289 deletions.
diff --git a/core/constant_inc.php b/core/constant_inc.php
@@ -602,12 +602,15 @@
 define( 'ERROR_FTP_CONNECT_ERROR', 16 );            # N/A
 
 # JQuery and JQuery UI
-define ( 'JQUERY_VERSION', '2.1.4' );
+define ( 'JQUERY_VERSION', '2.2.4' );
+define ( 'JQUERY_HASH', 'sha256-BbhdlvQf/xTY9gja0Dq3HiwQF8LaCRTXxZKRutelT44' );
 define ( 'JQUERY_UI_VERSION', '1.11.4' );
+define ( 'JQUERY_UI_HASH', 'sha256-xNjb53/rY+WmG+4L6tTl9m6PpqknWZvRt0rO1SRnJzw' );
 
 # Bootstrap & FontAwesome
-define ( 'BOOTSTRAP_VERSION', '3.3.5' );
-define ( 'FONT_AWESOME_VERSION', '4.4.0' );
+define ( 'BOOTSTRAP_VERSION', '3.3.6' );
+define ( 'BOOTSTRAP_HASH', 'sha256-KXn5puMvxCw+dAYznun+drMdG1IFl3agK0p/pqT9KAo' );
+define ( 'FONT_AWESOME_VERSION', '4.6.3' );
 
 # Byte Order Markers
 define( 'UTF8_BOM', "\xEF\xBB\xBF" );

diff --git a/core/html_api.php b/core/html_api.php
@@ -127,16 +127,21 @@ function html_rss_link() {
  * @return void
  */
 function html_javascript_link( $p_filename ) {
-	echo "\t", '<script type="text/javascript" src="', helper_mantis_url( 'js/' . $p_filename ), '"></script>' . "\n";
+	echo "\t", '<script type="text/javascript" src="', helper_mantis_url( 'js/' . $p_filename ), '"></script>', "\n";
 }
 
 /**
  * Prints a <script> tag to include a JavaScript file.
  * @param string $p_url fully qualified domain name for the cdn js file
+ * @param string $p_hash resource hash to perform subresource integrity check
  * @return void
  */
-function html_javascript_cdn_link( $p_url ) {
-	echo "\t", '<script type="text/javascript" src="', $p_url, '"></script>' . "\n";
+function html_javascript_cdn_link( $p_url, $p_hash = '' ) {
+	$t_integrity = '';
+	if( $p_hash !== '' ) {
+		$t_integrity = 'integrity="' . $p_hash . '" ';
+	}
+	echo "\t", '<script type="text/javascript" src="', $p_url, '" ', $t_integrity, 'crossorigin="anonymous"></script>', "\n";
 }
 
 /**
@@ -204,7 +209,7 @@ function html_css() {
 	html_css_link( config_get( 'css_include_file' ) );
 
 	if ( config_get_global( 'cdn_enabled' ) == ON ) {
-		html_css_cdn_link( 'https://ajax.googleapis.com/ajax/libs/jqueryui/' . JQUERY_UI_VERSION . '/themes/smoothness/jquery-ui.css' );
+		html_css_cdn_link( 'https://ajax.googleapis.com/ajax/libs/jqueryui/' . JQUERY_UI_VERSION . '/themes/smoothness/jquery-ui.min.css' );
 	} else {
 		html_css_link( 'jquery-ui-' . JQUERY_UI_VERSION . '.min.css' );
 	}
@@ -229,7 +234,7 @@ function html_css_link( $p_filename ) {
 	if( $p_filename == basename( $p_filename ) ) {
 		$p_filename = 'css/' . $p_filename;
 	}
-	echo "\t", '<link rel="stylesheet" type="text/css" href="', string_sanitize_url( helper_mantis_url( $p_filename ), true ), '" />' . "\n";
+	echo "\t", '<link rel="stylesheet" type="text/css" href="', string_sanitize_url( helper_mantis_url( $p_filename ), true ), '" />', "\n";
 }
 
 /**
@@ -238,7 +243,7 @@ function html_css_link( $p_filename ) {
  * @return void
  */
 function html_css_cdn_link( $p_url ) {
-	echo "\t", '<link rel="stylesheet" type="text/css" href="', $p_url, '" />' . "\n";
+	echo "\t", '<link rel="stylesheet" type="text/css" href="', $p_url, '" crossorigin="anonymous" />', "\n";
 }
 
 /**
@@ -295,8 +300,8 @@ function html_head_javascript() {
 	echo "\t" . '<script type="text/javascript" src="' . helper_mantis_url( 'javascript_translations.php' ) . '"></script>' . "\n";
 
 	if ( config_get_global( 'cdn_enabled' ) == ON ) {
-		echo "\t" . '<script src="https://ajax.googleapis.com/ajax/libs/jquery/' . JQUERY_VERSION . '/jquery.min.js"></script>' . "\n";
-		echo "\t" . '<script src="https://ajax.googleapis.com/ajax/libs/jqueryui/' . JQUERY_UI_VERSION . '/jquery-ui.min.js"></script>' . "\n";
+		html_javascript_cdn_link( 'https://ajax.googleapis.com/ajax/libs/jquery/' . JQUERY_VERSION . '/jquery.min.js', JQUERY_HASH );
+		html_javascript_cdn_link( 'https://ajax.googleapis.com/ajax/libs/jqueryui/' . JQUERY_UI_VERSION . '/jquery-ui.min.js', JQUERY_UI_HASH );
 	} else {
 		html_javascript_link( 'jquery-' . JQUERY_VERSION . '.min.js' );
 		html_javascript_link( 'jquery-ui-' . JQUERY_UI_VERSION . '.min.js' );

diff --git a/core/layout_api.php b/core/layout_api.php
@@ -285,7 +285,7 @@ function layout_head_javascript() {
 function layout_body_javascript() {
 	# bootstrap
 	if ( config_get_global( 'cdn_enabled' ) == ON ) {
-		html_javascript_cdn_link( 'https://maxcdn.bootstrapcdn.com/bootstrap/' . BOOTSTRAP_VERSION . '/js/bootstrap.min.js' );
+		html_javascript_cdn_link( 'https://maxcdn.bootstrapcdn.com/bootstrap/' . BOOTSTRAP_VERSION . '/js/bootstrap.min.js', BOOTSTRAP_HASH );
 	} else {
 		html_javascript_link( 'bootstrap-' . BOOTSTRAP_VERSION . '.min.js' );
 	}

diff --git a/css/bootstrap-3.3.5.min.css b/css/bootstrap-3.3.5.min.css
diff --git a/css/bootstrap-3.3.6.min.css b/css/bootstrap-3.3.6.min.css
diff --git a/css/font-awesome-4.4.0.min.css b/css/font-awesome-4.4.0.min.css
diff --git a/css/font-awesome-4.6.3.min.css b/css/font-awesome-4.6.3.min.css